Acrobat Reader plugin vulnerable to attacks

Security researchers studying over a weakness in the browser plugin for Adobe's Reader program

Security researchers are poring over what one vendor has called a "breathtaking" weakness in the Web browser plugin for Adobe Systems Inc.'s Acrobat Reader program, used to open the popular ".pdf" file format.

The problem was first highlighted by Stefano Di Paola and Giorgio Fedon, researchers who presented a paper in Berlin last week on security issues related to Web 2.0 technologies such as AJAX (Asynchronous JavaScript and extensible markup language).

The Acrobat weakness involves a feature called "open parameters" in the Web browser plugin for Adobe's Reader program.

The plugin allows arbitrary JavaScript code to run on the client side. The code could include a malicious attack on a computer, wrote Hon Lau on Symantec's Security Response Weblog on Wednesday.

"The ease in which this weakness can be exploited is breathtaking," Lau wrote. "What this means in a nutshell is that anybody hosting a .pdf, including well-trusted brands and names on the Web, could have their trust abused and become unwilling partners in crime."

Any Web site hosting a .pdf file could be manipulated to run an exploit, Lau wrote. Because an exploit is relatively easy to craft, Lau predicted attacks will start until it is fixed.

In their research paper, Di Paola and Fedon wrote that the type of attack used to exploit the problem is called universal cross-site scripting, which uses a flaw in the browser rather than a vulnerability within a Web site. A cross-site scripting attack involves the unintended execution of code as part of a query string contained within a URL (uniform resource locator).

Another Symantec blogger, Zulfikar Ramzan, wrote that attackers can exploit a cross-scripting vulnerability by creating a special URL that points to the Web page. In that URL, the attacker would code it to include some of his own content -- such as a form soliciting passwords or credit-card information -- that would be displayed on the targeted Web page.

When victims click on the URL -- which, for example, could be included in a link enclosed in e-mail -- they would be directed to the Web page. If they fill out information on a form on the page, it could be passed to the attacker without the victim knowing the site had been tampered with, Ramzan wrote.

"The result is that the user is lulled into a false sense of security since he trusts the site and therefore trusts any transaction he has with it, even though in reality he is transacting with an attacker," Ramzan wrote.

An Adobe spokesman contacted in London on Wednesday afternoon could not immediately comment.

In highlighting the problem with the Reader plugin, the researchers Di Paola and Fedon warned that Web 2.0 applications -- such as Google's Gmail and Google Maps, both of which employ AJAX -- will need to be more tightly tied to the security of Web browsers.

Otherwise, the plethora of features in those applications "can be turned into weapons if controlled by a malicious hacker," they wrote.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Essentials

Brother MFC-L3745CDW Colour Laser Multifunction

Learn more >

Mobile

Exec

Sony WH-1000XM4 Wireless Noise Cancelling Headphones

Learn more >

Budget

Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?